trilium & authelia setup

hosts/sin/configuration.nix

@@ -17,7 +17,7 @@
     ./secrets.nix
     ./coredns
     ./copyparty.nix
-    # ./trilium.nix
+    ./trilium.nix
   ];
 
   boot.initrd.kernelModules = [ "usb_storage" ];
@@ -44,6 +44,8 @@
 
         3000 # gitea
 
+        config.services.trilium-server.port
+
         53
       ];
 

hosts/sin/jellyfin.nix

@@ -11,10 +11,9 @@ in
     extraPackages = with pkgs; [
       intel-media-driver
       intel-vaapi-driver
-      vaapiVdpau
+      libva-vdpau-driver
       intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
       vpl-gpu-rt # QSV on 11th gen or newer
-      intel-media-sdk # QSV up to 11th gen
     ];
   };
 
@@ -91,10 +90,18 @@ in
       enable = true;
       openFirewall = true;
       group = "starr";
+      settings = {
+        authentication.AuthenticationMethod = "external";
+        authentication.AuthenticationType = "enabled";
+      };
     };
     prowlarr = {
       enable = true;
       openFirewall = true;
+      settings = {
+        authentication.AuthenticationMethod = "external";
+        authentication.AuthenticationType = "enabled";
+      };
     };
     bazarr = {
       enable = true;
@@ -103,10 +110,18 @@ in
     lidarr = {
       enable = true;
       openFirewall = true;
+      settings = {
+        authentication.AuthenticationMethod = "external";
+        authentication.AuthenticationType = "enabled";
+      };
     };
     whisparr = {
       enable = true;
       openFirewall = true;
+      settings = {
+        authentication.AuthenticationMethod = "external";
+        authentication.AuthenticationType = "enabled";
+      };
     };
 
     jellyseerr = {

hosts/sin/trilium.nix

@@ -1 +1,9 @@
-{ ... }: { }
+{ ... }:
+{
+  services.trilium-server = {
+    enable = true;
+    port = 12783;
+    host = "0.0.0.0";
+    noAuthentication = true;
+  };
+}

hosts/thea/authelia.nix

@@ -49,10 +49,10 @@ in
         access_control = {
           default_policy = "deny";
           rules = [
-            {
-              domain = "radarr.shobu.fr";
-              policy = "bypass";
-            }
+            # {
+            #   domain = "radarr.shobu.fr";
+            #   policy = "bypass";
+            # }
             {
               domain = "*.shobu.fr";
               policy = "one_factor";

hosts/thea/lib/autheliaSnippets.nix

@@ -2,7 +2,7 @@
 {
   proxy = pkgs.writeText "proxy.conf" ''
     ## Headers
-    proxy_set_header Host $host;
+    # proxy_set_header Host $host;
     proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Forwarded-Host $http_host;

hosts/thea/nginx.nix

@@ -1,4 +1,9 @@
-{ inputs, pkgs, ... }:
+{
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
 let
   # striped-front = inputs.striped-front;
 
@@ -18,81 +23,93 @@ in
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
 
+    typesHashMaxSize = 512;
+    mapHashMaxSize = 512;
+
     virtualHosts =
       let
-        mkStarr = host: port: {
+        mkVHost = host: port: {
           "${host}" = {
             enableACME = true;
             forceSSL = true;
 
             locations."/" = {
               proxyPass = "http://${sin-address}:${port}";
+            };
+          };
+        };
+        mkStarr = host: port: {
+          "${host}" = {
+            enableACME = true;
+            forceSSL = true;
+
+            extraConfig = ''
+              include ${authelia-snippets.authelia-location};
+            '';
+
+            locations."/api" = {
+              proxyPass = "http://${sin-address}:${port}";
               proxyWebsockets = true;
               extraConfig = ''
                 proxy_ssl_server_name on;
+              '';
+            };
+            locations."/" = {
+              proxyPass = "http://${sin-address}:${port}";
+              proxyWebsockets = true;
+              extraConfig = ''
+                include ${authelia-snippets.proxy};
+                include ${authelia-snippets.authelia-authrequest};
+
+                proxy_ssl_server_name on;
                 proxy_read_timeout 4800s;
               '';
             };
           };
         };
+        withAuthelia =
+          vhost: location:
+          (builtins.mapAttrs (
+            name: value:
+            (lib.recursiveUpdate value {
+              extraConfig = (if value ? extraConfig then value.extraConfig else "") + ''
+                include ${authelia-snippets.authelia-location};
+              '';
+              locations."${location}".extraConfig =
+                (
+                  if value.locations."${location}" ? extraConfig then
+                    value.locations."${location}".extraConfig
+                  else
+                    ""
+                )
+                + ''
+                  include ${authelia-snippets.proxy};
+                  include ${authelia-snippets.authelia-authrequest};
+                '';
+            })
+          ) vhost);
+        withWebsockets =
+          vhost: location:
+          (builtins.mapAttrs (
+            name: value:
+            (lib.recursiveUpdate value {
+              locations."${location}".proxyWebsockets = true;
+            })
+          ) vhost);
       in
       (
-        mkStarr "jellyfin.shobu.fr" "8096"
-        # // mkStarr "radarr.shobu.fr" "7878"
+        (withWebsockets (mkVHost "jellyfin.shobu.fr" "8096") "/")
+        // mkStarr "radarr.shobu.fr" "7878"
         // mkStarr "sonarr.shobu.fr" "8989"
         // mkStarr "prowlarr.shobu.fr" "9696"
         // mkStarr "bazarr.shobu.fr" "6767"
         // mkStarr "lidarr.shobu.fr" "8686"
         // mkStarr "whisparr.shobu.fr" "6969"
-        // mkStarr "jellyseerr.shobu.fr" "5055"
-        // mkStarr "transmission.shobu.fr" "9091"
-        // mkStarr "zimablade-admin.shobu.fr" "61208"
+        // mkVHost "jellyseerr.shobu.fr" "5055"
+        // mkVHost "transmission.shobu.fr" "9091"
+        // mkVHost "zimablade-admin.shobu.fr" "61208"
+        // (withWebsockets (withAuthelia (mkVHost "trilium.shobu.fr" "12783") "/") "/")
         // {
-          "radarr.shobu.fr" = {
-            enableACME = true;
-            forceSSL = true;
-
-            extraConfig = ''
-              include ${authelia-snippets.authelia-location};
-              error_log /var/log/nginx/debug_radarr.log debug;
-            '';
-
-            locations."/" = {
-              proxyPass = "http://${sin-address}:7878";
-              proxyWebsockets = true;
-              extraConfig = ''
-                include ${authelia-snippets.proxy};
-                include ${authelia-snippets.authelia-authrequest};
-
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "upgrade";
-
-                # From https://gist.github.com/R0GGER/916183fca41f02df1471a6f455e5869f
-                # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
-                add_header Strict-Transport-Security "max-age=63072000; preload" always;
-                add_header Referrer-Policy strict-origin-when-cross-origin; 
-                add_header X-Content-Type-Options nosniff;
-                add_header X-XSS-Protection "1; mode=block";
-                add_header X-Frame-Options SAMEORIGIN;
-                add_header Content-Security-Policy upgrade-insecure-requests;
-                add_header Permissions-Policy interest-cohort=();
-                add_header Expect-CT 'enforce; max-age=604800';
-                more_set_headers 'Server: Proxy';
-                more_clear_headers 'X-Powered-By';
-
-                proxy_ssl_server_name on;
-              '';
-            };
-
-            locations."/api" = {
-              proxyPass = "http://${sin-address}:7878";
-              proxyWebsockets = true;
-              extraConfig = ''
-                proxy_ssl_server_name on;
-              '';
-            };
-
-          };
           "shobu.fr" = {
             enableACME = true;
             forceSSL = true;